On Thu, Feb 04, 2010 at 04:31:40PM -0500, Khalid Baheyeldin wrote:
> I don't think Paul was saying he would pull Drupal/Gem/CPAN/PECL/...etc
> stuff from any random site. He would be getting them from the authoritative
> repository (e.g. drupal.org, cpan.org, php.net, ...etc.)
>
> So the security risk here is minimal.
True. I consider that "random" to some extent too, unless the sites
I download from have a steady signed download process.
I didn't mean to imply that Paul runs just anything. :-)
> So Lori is right. The problem is that people aren't using apt enough.
> >
> > If you go to the trouble of making your own repository, might
> > as well put it on the net, and share it.
>
> That is exactly what CPAN/PECL/Drupal do ...
Well, well! So they do!
http://debian.pkgs.cpan.org/
I assume that solves a good chunk of the problem. Thanks.
> Yes, but Paul's point is that we have a myriad of them for each language.
> Even though it is fairly easy to pull stuff from the respective repository
> for that language, it bypasses APT's dependency checking mechanism.
I'm a little confused by this. Why would they make deb packages
that don't have the right dependencies? Apt just provides what the debs
themselves ask for.
Unless...
> The issue here is release cycles. Debian is very slow to come with
> stable releases compared to other stuff. For example, Drupal used
> to have a 6-8 month release cycle for core, and several hundred
> modules. Now the cycle is more like 2 years for core, but there
> are 3,000 or more modules out there, with various maintainers.
> They tend to move at their own pace, often very quick, and hence
> do not fit into the Debian repositories. We had really old stuff
> in Debian as far as Drupal is concerned.
... the dependencies of the manual deb packages mean that you
have to run Debian unstable all the time?
- Chris